12.05.2016

SQL Server 2016

Security Obscurity and Encryption

Andreas Wolter
Owner: Sarpedon Quality Lab
Database Architect | MCSM, MCM, MVP

Andreas Wolter

Consultant, Trainer & Speaker
Certified Master SQL Server 2008 + Solutions Master Data Platform (SQL Server 2012)
• Datawarehouse & OLTP-System Architecture
• Performance Tuning
• Security

Email: [email protected]
Web: www.andreas-wolter.com
Blog: www.insidesql.org/blogs/andreaswolter/
Facebook: www.facebook.com/SarpedonQualityLab
LinkedIn: www.linkedin.com/in/andreaswolter
Twitter: @AndreasWolter

SQL Server SSAS, SSRS, SSIS


Agenda

 Intro: SQL Server under Attack
 Overview of Investments for 2016
 Application Access
   Row Level Security, Dynamic Data Masking
   Demo
 Side-Channel Attacks
 Data Encryption
   Always Encrypted
   Demo
 A word on SQL Injection
 Q&A


SQL Server under Attack


Note

 Encryption at rest does not protect against all attacks
 In fact, no single protection covers every attack surface or attack vector; each feature below closes one class of exposure and must be combined with the others


RLS Limitations

• Does not protect against ad-hoc access: side-channel attacks are possible (e.g. a crafted WHERE clause that raises an error on a hidden row), so RLS belongs behind stored procedures or views, not in front of users writing their own queries
• Incompatible with FILESTREAM
• Incompatible with PolyBase
• No indexed views
• Change Data Capture (CDC) and Change Tracking (CT) can leak data, because they capture rows regardless of the security policy
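The following T-SQL is an added example, not code from the slides or the demo: it sets up a filter predicate the way RLS is normally configured, then shows the side channel the first limitation refers to. The table dbo.Patients, its rows and the users Ward_A / Ward_B are constructed for this example.

```sql
-- Added example (not from the slides): row-level security with a filter
-- predicate, plus the ad-hoc side channel the limitation slide warns about.
-- Table, data and users are constructed for this demo only.
CREATE TABLE dbo.Patients
(
    PatientId int           NOT NULL PRIMARY KEY,
    Ward      sysname       NOT NULL,   -- compared against USER_NAME() by the predicate
    Diagnosis nvarchar(100) NOT NULL,
    Cost      money         NOT NULL
);
INSERT dbo.Patients (PatientId, Ward, Diagnosis, Cost) VALUES
    (1, N'Ward_A', N'Fracture',  1200),
    (2, N'Ward_B', N'Oncology', 48000),   -- hidden from Ward_A
    (3, N'Ward_A', N'Flu',        300);

CREATE USER Ward_A WITHOUT LOGIN;
CREATE USER Ward_B WITHOUT LOGIN;
GRANT SELECT ON dbo.Patients TO Ward_A, Ward_B;
GO
-- Inline table-valued function: a row is visible when its Ward equals the
-- caller's database user name. SCHEMABINDING is required for RLS predicates.
CREATE FUNCTION dbo.fn_PatientFilter (@Ward AS sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result WHERE @Ward = USER_NAME();
GO
CREATE SECURITY POLICY dbo.PatientPolicy
    ADD FILTER PREDICATE dbo.fn_PatientFilter(Ward) ON dbo.Patients
    WITH (STATE = ON);
GO
-- Normal use: Ward_A only sees rows 1 and 3.
EXECUTE AS USER = 'Ward_A';
SELECT PatientId, Ward, Cost FROM dbo.Patients;
REVERT;
GO
-- Side channel: the policy filters rows out of the *result*, but the engine
-- may evaluate WHERE expressions before the filter is applied. Ward_A has no
-- row with Cost = 48000, so a divide-by-zero error can only come from a row
-- Ward_A is not supposed to see. Whether the error surfaces depends on the
-- plan the optimizer picks; that it can at all is why ad-hoc queries must be
-- denied (use stored procedures / views, GRANT nothing on the base table).
EXECUTE AS USER = 'Ward_A';
BEGIN TRY
    SELECT PatientId FROM dbo.Patients WHERE 1 / (Cost - 48000) = 0;
    SELECT 'no hidden row with Cost = 48000 (or the filter ran first)' AS Result;
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS LeakedByError;   -- "Divide by zero error encountered."
END CATCH;
REVERT;
```

Run it as a sysadmin in a scratch database. The same probing technique works with any expression that errors on a specific value (CONVERT failures, for instance), which is why the RLS documentation lists side channels as a limitation rather than a bug.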


RLS: Learn More

Books Online: https://msdn.microsoft.com/en-us/library/dn765131.aspx
SQL Security Blog (keyword RLS): http://blogs.msdn.com/b/sqlsecurity/archive/tags/rls/
Overview blog post: http://blogs.technet.com/b/dataplatforminsider/archive/2016/01/21/limiting-access-to-data-using-row-level-security.aspx
Channel 9 Videos:
• https://channel9.msdn.com/Shows/Data-Exposed/Row-Level-Security-Updates
• https://channel9.msdn.com/Shows/Data-Exposed/Row-Level-Security-in-Azure-SQL-Database
• https://channel9.msdn.com/Shows/Data-Exposed/SQL-Server-2016-Row-Level-Security
Code Samples: https://rlssamples.codeplex.com/


Dynamic Data Masking: Learn More

Getting Started (Azure SQL DB): https://azure.microsoft.com/documentation/articles/sql-database-dynamic-data-masking-get-started/

MSDN (SQL Server): https://msdn.microsoft.com/library/mt130841.aspx

Blogs:
• http://blogs.msdn.com/b/sqlsecurity/archive/2015/10/22/dynamic-data-masking-highlighting-the-latest-improvements.aspx
• https://azure.microsoft.com/blog/limit-the-exposure-of-sensitive-data-in-azure-sql-database-using-dynamic-data-masking/

Channel 9 Videos:
• https://channel9.msdn.com/Shows/Data-Exposed/Dynamic-Data-Masking-Updates
• https://channel9.msdn.com/Shows/Data-Exposed/Dynamic-Data-Masking-in-Azure-SQL-Database


Dynamic Data Masking Limitations

• A masking rule cannot be defined for the following column types:
  • Computed columns (whether persisted or not), but a computed column is masked if one of the columns it references is masked
  • Encrypted columns (Always Encrypted), since SQL Server never sees the plaintext and therefore cannot apply a mask to it
  • GENERATED ALWAYS (temporal) columns
  • FILESTREAM
  • COLUMN_SET
• Masking is applied to query output only; predicates still run on the real values, so, like RLS, it does not protect against ad-hoc access
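The following T-SQL is an added example, not code from the slides or the demo. It defines the masks, shows what a user without UNMASK sees, and then shows the inference that masking cannot stop because filtering still happens on the clear values. The table dbo.Customers, its two rows and the user AppReader are constructed for the example.

```sql
-- Added example (not from the slides): dynamic data masking, what the masked
-- user sees, and why filtering still leaks the real values.
-- Table, data and the user AppReader are constructed for this demo only.
CREATE TABLE dbo.Customers
(
    CustomerId  int          NOT NULL PRIMARY KEY,
    Email       varchar(100) MASKED WITH (FUNCTION = 'email()')                  NOT NULL,
    Phone       varchar(20)  MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)')  NOT NULL,
    CreditLimit money        MASKED WITH (FUNCTION = 'default()')                NOT NULL,
    Birthday    date         MASKED WITH (FUNCTION = 'default()')                NOT NULL
);
INSERT dbo.Customers (CustomerId, Email, Phone, CreditLimit, Birthday) VALUES
    (1, 'alice@example.com', '555-123-4567', 25000, '1980-04-01'),
    (2, 'bob@example.com',   '555-987-6543',  1500, '1991-11-23');

CREATE USER AppReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO AppReader;
GO
EXECUTE AS USER = 'AppReader';
-- Masked output per row: aXXX@XXXX.com, XXX-XXX-4567, 0.00, 1900-01-01
SELECT CustomerId, Email, Phone, CreditLimit, Birthday FROM dbo.Customers;

-- The mask is applied when the result is produced; predicates, ORDER BY and
-- aggregates operate on the plaintext. An ad-hoc user can therefore recover
-- values by filtering (or, for numbers, by binary search on the range).
SELECT CustomerId FROM dbo.Customers WHERE CreditLimit > 20000;   -- returns 1
SELECT CustomerId FROM dbo.Customers WHERE Email LIKE 'alice%';   -- returns 1
SELECT CustomerId FROM dbo.Customers ORDER BY Birthday;           -- 1 then 2: reveals the order
REVERT;
GO
-- Only principals holding UNMASK (or db_owner / sysadmin) see clear values.
GRANT UNMASK TO AppReader;
EXECUTE AS USER = 'AppReader';
SELECT Email, CreditLimit FROM dbo.Customers;   -- plaintext now
REVERT;
REVOKE UNMASK FROM AppReader;
```

The practical consequence matches the slide: DDM is a presentation-layer control for applications that do not need the value, and it is only as good as the restriction that the masked principal cannot issue arbitrary queries.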


Sample Health Care Application: DDM & RLS


Always Encrypted  Prevents Data Disclosure SQL Server 2016 SQL Database (GA)  Application Transparency  Queries against Encrypted Data

Helps With

 Protection from high-privileged, yet unauthorized users (DBAs, hosting operators): the server only ever holds ciphertext, the keys stay with the client

 Compliance Scenarios

 Health, finance, insurance


Health Care Demo Cont’d: Always Encrypted

How it looks: Using it all Together


Always Encrypted Limitations

• https://msdn.microsoft.com/en-us/library/mt163865.aspx
• http://blogs.sqlsentry.com/aaronbertrand/t-sql-tuesday-69-always-encrypted-limitations/
• Unsupported data types:
  • xml, rowversion, image, ntext, text, sql_variant, hierarchyid, geography, geometry, alias types, user-defined types
  • FILESTREAM, non-BIN2 collations, ROWGUIDCOL, sparse column sets
• Columns referenced by statistics
• Default constraints
• Columns that are masked
• Temporal tables
• Memory-optimized tables
• Stretched tables
• Not supported features:
  • Transactional or merge replication
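The following T-SQL is an added example, not code from the slides or the demo. It shows the server-side objects Always Encrypted needs and which query shapes the engine can answer over ciphertext, which is where the BIN2-collation and "no predicates on randomized columns" limitations come from. Assumptions: the column master key is a certificate in the Windows certificate store (the thumbprint in KEY_PATH is a placeholder); the ENCRYPTED_VALUE of the column encryption key is a placeholder too, because that blob can only be produced client-side (SSMS key wizard or the SqlServer PowerShell module), never by the server, which is the whole point of the design. The table dbo.PatientRecords is constructed for the example.

```sql
-- Added example (not from the slides): Always Encrypted DDL and query shapes.
-- KEY_PATH thumbprint and ENCRYPTED_VALUE are placeholders; generate the real
-- CEK blob with client tooling that holds the CMK (SSMS wizard / PowerShell).
CREATE COLUMN MASTER KEY CMK_Health
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/0000000000000000000000000000000000000000'  -- placeholder thumbprint
);
GO
CREATE COLUMN ENCRYPTION KEY CEK_Health
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Health,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder: CEK wrapped by the CMK, produced client-side
);
GO
CREATE TABLE dbo.PatientRecords
(
    PatientId int NOT NULL PRIMARY KEY,
    -- DETERMINISTIC: equal plaintext -> equal ciphertext, so equality, JOIN and
    -- GROUP BY work, at the price of revealing duplicates. String columns must
    -- use a *_BIN2 collation (see limitations: non-BIN2 collations unsupported).
    SSN char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                        COLUMN_ENCRYPTION_KEY = CEK_Health) NOT NULL,
    -- RANDOMIZED: fresh IV per value, no pattern leakage, no predicates at all.
    Diagnosis nvarchar(200)
        ENCRYPTED WITH (ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                        COLUMN_ENCRYPTION_KEY = CEK_Health) NULL,
    Ward sysname NOT NULL   -- plaintext column, freely queryable
);
GO
-- From a client connected with "Column Encryption Setting=Enabled", @ssn is a
-- bound SqlParameter: the driver looks up the column's CEK, decrypts it with
-- the CMK and encrypts the parameter before the batch leaves the client.
-- (A DECLARE @ssn = '...' inside the batch text would NOT be encrypted.)
SELECT PatientId, Ward FROM dbo.PatientRecords WHERE SSN = @ssn;        -- OK: deterministic equality
SELECT PatientId, Ward FROM dbo.PatientRecords WHERE SSN LIKE '123%';   -- error: no pattern match on ciphertext
SELECT PatientId      FROM dbo.PatientRecords WHERE Diagnosis = @dx;    -- error: randomized column
SELECT Diagnosis      FROM dbo.PatientRecords WHERE PatientId = 1;      -- OK: filter on plaintext, decrypt on client
GO
-- What a DBA sees from a session WITHOUT the column encryption setting:
-- varbinary ciphertext in SSN and Diagnosis, never the values.
SELECT PatientId, SSN, Diagnosis, Ward FROM dbo.PatientRecords;
```

Choosing DETERMINISTIC for a column is a deliberate trade: it is what makes lookups possible, and it is also what lets a high-privileged observer count how many rows share a value, so reserve it for columns that must be searched and keep everything else RANDOMIZED.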


Always Encrypted: Learn More

 Books Online  https://msdn.microsoft.com/en-us/library/mt163865.aspx

 SQL Security Blog (keyword Always Encrypted)
   http://blogs.msdn.com/b/sqlsecurity/archive/tags/always+encrypted/

 Channel 9 Videos  https://channel9.msdn.com/Shows/Data-Exposed/SQL-Server-2016-Always- Encrypted  https://channel9.msdn.com/Shows/Data-Exposed/Getting-Started-with-Always- Encrypted-with-SSMS


Other security enhancements

 Audit success/failure of database operations
 Enhanced auditing for OLTP with the ability to track the history of record changes
 Transparent Data Encryption support for storage of In-Memory OLTP tables
 Backup encryption now supported together with compression
 Transparent Data Encryption with support for Intel AES-NI hardware acceleration
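As an added example (not from the slides), the fourth bullet in practice: an encrypted backup that is also compressed, followed by the msdb query that confirms both properties. Certificate name, passwords, database name and file paths are constructed for the example and must be replaced.

```sql
-- Added example (not from the slides): encrypted + compressed backup, the
-- combination SQL Server 2016 newly supports. Names, passwords and paths are
-- placeholders for this demo.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-Me!DMK-Passw0rd';
CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Backup encryption certificate';
GO
-- Without the certificate and its private key the backup cannot be restored:
-- export both immediately and store them off the server.
BACKUP CERTIFICATE BackupCert
    TO FILE = 'C:\Keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Keys\BackupCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Replace-Me!PVK-Passw0rd');
GO
-- Compression runs before encryption, so the backup stays small and the
-- ciphertext gives no plaintext pages away on the backup media.
BACKUP DATABASE HealthCare
    TO DISK = 'D:\Backup\HealthCare.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert),
         CHECKSUM, STATS = 10;
GO
-- Verify: key_algorithm / encryptor_type show encryption was applied,
-- compressed_backup_size vs backup_size shows compression took effect.
SELECT TOP (1)
       bs.database_name, bs.backup_finish_date,
       bs.key_algorithm, bs.encryptor_type, bs.encryptor_thumbprint,
       bs.backup_size, bs.compressed_backup_size
FROM msdb.dbo.backupset AS bs
WHERE bs.database_name = N'HealthCare'
ORDER BY bs.backup_finish_date DESC;
```

Restoring on another server requires the same certificate (imported from the .cer/.pvk pair) before RESTORE DATABASE will read the media; a missing or rotated certificate is the most common way an encrypted backup becomes useless.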


Azure SQL Database Threat Detection

 4 PM: Azure SQL Database Security - Microsoft product team
 Ron Matchoro (Microsoft)
 Dome 3


Q&A


Thank you

Andreas Wolter

Contact: [email protected]
LinkedIn: www.linkedin.com/in/AndreasWolter
Twitter: @AndreasWolter


Sarpedon Quality Lab: Your Specialist for Database Systems based on SQL Server Technologies

We are one of only two companies worldwide that have reached the highest technical certifications from Microsoft for SQL Server 2008 as well as SQL Server 2012.

We love to support you and use our know-how to your advantage.

Our services cover:
• SQL Server Health Checks
• Performance Analysis & Tuning
• Disaster Recovery & SLA Compliance Checks
• Security Checks
• Data Rescue in case of corruption
• Architecture Planning, Consulting and Implementation

• Training:

Ask us: [email protected]